[PATCH 2/2] security, selinux: get rid of security_delete_hooks()

Stephen Smalley sds at tycho.nsa.gov
Wed Jan 8 14:49:00 UTC 2020


On 1/8/20 12:31 AM, Paul Moore wrote:
> On Tue, Jan 7, 2020 at 9:46 AM Stephen Smalley <sds at tycho.nsa.gov> wrote:
>> On 1/7/20 8:31 AM, Ondrej Mosnacek wrote:
>>> The only user is SELinux, which is hereby converted to check the
>>> disabled flag in each hook instead of removing the hooks from the list.
>>>
>>> The __lsm_ro_after_init macro is now removed and replaced with
>>> __ro_after_init directly.
>>>
>>> This fixes a race condition in SELinux runtime disable, which was
>>> introduced with the switch to hook lists in b1d9e6b0646d ("LSM: Switch
>>> to lists of hooks").
>>
>> Not opposed (naturally, since I suggested it) but my impression from the
>> earlier thread was that Paul preferred the less invasive approach of
>> your original patch (just reordering the hooks) as a short term fix with
>> an eye toward full removal of disable support in the not-too-distant future.
> 
> Unless we are seeing widespread breakages (I don't think we are), or
> we decide we can never remove the runtime disable, I still prefer the
> hook-shuffle over the changes proposed in this patchset.

Note that the first patch is a necessary and correct cleanup regardless
of this one.
